nmfta-repo / nmfta-telematics_security_requirements

Cybersecurity requirements for telematics systems developed in collaboration with motor freight carriers, telematics service providers and cybersecurity experts.

update xrefs to NIST 800-53 to match revision 5 #23

Closed jdaoust closed 3 years ago

jdaoust commented 3 years ago

All the references to the NIST Special Publication 800-53 Revision 4 document in the matrix were updated to references to the corresponding sections in the NIST Special Publication 800-53 Revision 5 document. A log of all the changes (or lack thereof) was kept for each “Ref #” contained in the matrix (available in the “NMFTA TCRM Update Log for NIST 800-53 r5 xrefs” spreadsheet document hereby attached). Most of the information about the changes is also available in another shape in a spreadsheet document published by the NIST called “Analysis of updates between 800-53 Rev. 5 and Rev. 4” available here: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final. This only represents an additional way to keep track of the modifications that were brought to the references in the matrix, as each modification was recorded independently of that document in order to be more thorough (the NIST spreadsheet sometimes overlooked smaller changes).

The README file was also changed accordingly, to include the updated reference.

NMFTA TCRM Update Log for NIST 800-53 r5 xrefs.xlsx

Additionally, here is a text-diff of the changes to the XLS:


diff --git a/ORIGINAL_TCRM.csv b/MODIFIED_TCRM.csv
index 4ed20d3..91438fa 100755
--- a/ORIGINAL_TCRM.csv
+++ b/MODIFIED_TCRM.csv
@@ -1,42 +1,42 @@
 Applicable Component Categories,Ref #,Category,Requirement,Public Requirements References/Descriptions ,"Verification: Inspection, Demonstration, Test, or Analysis ","Criticality:
 High, Medium, or Low",Remarks,Combined Ref + Security Control + Requirement,Mobile App,Vehicle Connection,Connectivity/Communications,Cloud or Back-end
-Cloud or Back-end;,AA-010,Audit and Accountability,The vendor's system shall record event and system logs,"NIST 800-53 AU-2 – AUDIT EVENTS 
-The organization:
-a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
-b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
-c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
-d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].
-
-NIST 800-53 AU-2 (3) – AUDIT EVENTS | REVIEWS AND UPDATES
-
-The organization reviews and updates the audited events [Assignment: organization-defined frequency].
+Cloud or Back-end;,AA-010,Audit and Accountability,The vendor's system shall record event and system logs,"NIST 800-53 r5 AU-2 – EVENT LOGGING 
+a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging];
+b. Coordinate the event logging function with other organizational entities requiring auditrelated information to guide and inform the selection criteria for events to be logged;
+c. Specify the following event types for logging within the system: [Assignment: organizationdefined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type];
+d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and
+e. Review and update the event types selected for logging [Assignment: organization-defined frequency].

 CTIA ICCTP 4.7 Audit Log",Inspection of vendor-supplied documentation detailing locations where audit logs are stored and the types of events logged.,Medium,"Ideally the logs are immutable,  backed up, and retained for a certain period of time",AA-010 (Audit and Accountability) - The vendor's system shall record event and system logs,No,No,No,Yes
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
-Cloud or Back-end;",AC-010,Protecting Data on Devices,"Vendor devices will implement least privilege for the memory spaces of processes handling protected data. i.e. data in-use, of the categories of sensitive protected data above, or shall be segmented from software components which do not handle such data. Acceptable segmentations include Mandatory Filesystem Access Controls and Mandatory Volatile Memory Access Controls.","NIST 800-53 SI-16 - MEMORY PROTECTION 
-The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.
+Cloud or Back-end;",AC-010,Protecting Data on Devices,"Vendor devices will implement least privilege for the memory spaces of processes handling protected data. i.e. data in-use, of the categories of sensitive protected data above, or shall be segmented from software components which do not handle such data. Acceptable segmentations include Mandatory Filesystem Access Controls and Mandatory Volatile Memory Access Controls.","NIST 800-53 r5 SI-16 - MEMORY PROTECTION 
+Implement the following controls to protect the system memory from unauthorized
+code execution: [Assignment: organization-defined controls].

-NIST 800-53 AC-6 (4) - LEAST PRIVILEGE | SEPARATE PROCESSING DOMAINS 
-The information system provides separate processing domains to enable finer-grained allocation of user privileges.
+NIST 800-53 r5 AC-6 (4) - LEAST PRIVILEGE | SEPARATE PROCESSING DOMAINS 
+Provide separate processing domains to enable finer-grained allocation of user privileges.

-NIST 800-53 SC-2 – APPLICATION PARTITIONING 
-The information system separates user functionality (including user interface services) from information system management functionality.
+NIST 800-53 r5 SC-2 – SEPARATION OF SYSTEM AND USER FUNCTIONALITY
+Separate user functionality, including user interface services, from system management
+functionality.

-NIST 800-53 SC-2 (1) - APPLICATION PARTITIONING | INTERFACES FOR NON-PRIVILEGED USERS 
-The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users.
+NIST 800-53 r5 SC-2 (1) - SEPARATION OF SYSTEM AND USER FUNCTIONALITY | INTERFACES FOR NON-PRIVILEGED USERS 
+Prevent the presentation of system management functionality at interfaces to nonprivileged users.

-NIST 800-53 AC-25 – REFERENCE MONITOR 
-The information system implements a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.","Inspection of vendor-supplied design documentation detailing the privilege separation of the device. Ensure that 1) a Mandatory Access Control scheme is employed 2) there are separate domains/users/roles (whichever is applicable to the MAC) for dealing with the sensitive information (vendor defined, see SCP-030) and finally 3) accounts for running system tasks (e.g. crond, portmap, systemd) are not in the separate domains/users/roles for dealing with sensitive information.",Medium,e.g. a Linux system with MAC configured to deny access to the processes dealing with protected data and also denying debugger access to the memory space of those processes.,"AC-010 (Protecting Data on Devices) - Vendor devices will implement least privilege for the memory spaces of processes handling protected data. i.e. data in-use, of the categories of sensitive protected data above, or shall be segmented from software components which do not handle such data. Acceptable segmentations include Mandatory Filesystem Access Controls and Mandatory Volatile Memory Access Controls.",Yes,Yes,Yes,Yes
+NIST 800-53 r5 AC-25 – REFERENCE MONITOR 
+Implement a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.","Inspection of vendor-supplied design documentation detailing the privilege separation of the device. Ensure that 1) a Mandatory Access Control scheme is employed 2) there are separate domains/users/roles (whichever is applicable to the MAC) for dealing with the sensitive information (vendor defined, see SCP-030) and finally 3) accounts for running system tasks (e.g. crond, portmap, systemd) are not in the separate domains/users/roles for dealing with sensitive information.",Medium,e.g. a Linux system with MAC configured to deny access to the processes dealing with protected data and also denying debugger access to the memory space of those processes.,"AC-010 (Protecting Data on Devices) - Vendor devices will implement least privilege for the memory spaces of processes handling protected data. i.e. data in-use, of the categories of sensitive protected data above, or shall be segmented from software components which do not handle such data. Acceptable segmentations include Mandatory Filesystem Access Controls and Mandatory Volatile Memory Access Controls.",Yes,Yes,Yes,Yes
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
-Cloud or Back-end;",AC-020,Protecting Actions on Devices,"All actions taken by the vendor's telematics system that are capable of supporting access controls shall be configured such that each user account or process/service account are assigned only the minimal privileges required to perform the specific, intended, actions of the user or process/service account.","NIST 800-53 AC-6 – LEAST PRIVILEGE 
-The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
+Cloud or Back-end;",AC-020,Protecting Actions on Devices,"All actions taken by the vendor's telematics system that are capable of supporting access controls shall be configured such that each user account or process/service account are assigned only the minimal privileges required to perform the specific, intended, actions of the user or process/service account.","NIST 800-53 r5 AC-6 – LEAST PRIVILEGE 
+Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

-NIST 800-53 AC-6 (1) - LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS 
-The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information].
+NIST 800-53 r5 AC-6 (1) - LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS 
+Authorize access for [Assignment: organization-defined individuals or roles] to:
+(a) [Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and
+(b) [Assignment: organization-defined security-relevant information].

 CTIA ICCTP 5.17 Design-In Features “designed to separate critical functions from non”","Inspection of vendor documentation or a demonstration by the vendor that details how software privileges are assigned in vendor systems. Ensure that principles of least privilege are met.

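Review bot: several of the new r5 control texts in this hunk carry copy artifacts from the PDF. In the AU-2 block, "auditrelated" (item b) and "organizationdefined" (item c) have lost their hyphens ("audit-related", "organization-defined"), as has "nonprivileged" in the SC-2 (1) text, and the SI-16 and SC-2 texts are broken across cell lines in mid-sentence ("unauthorized / code execution", "system management / functionality") where the source document wrapped. Suggest restoring the hyphens and joining the wrapped lines so each control reads as one sentence, the way the other r5 texts in this hunk are laid out. Dropping the separate AU-2 (3) entry from the AA-010 row looks right, since its review-and-update requirement now appears as AU-2 item e in the replacement text.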
@@ -48,11 +48,11 @@ CTIA ICCTP 5.17 Design-In Features “designed to separate critical functions fr
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
-Cloud or Back-end;",AC-030,Access Control,The vendor's system shall employ authentication to prevent unauthorized access to telematics systems and data.,"NIST 800-53 AC-6 – LEAST PRIVILEGE
-The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
+Cloud or Back-end;",AC-030,Access Control,The vendor's system shall employ authentication to prevent unauthorized access to telematics systems and data.,"NIST 800-53 r5 AC-6 – LEAST PRIVILEGE
+Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

-NIST 800-53 AC-3 – ACCESS ENFORCEMENT 
-The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
+NIST 800-53 r5 AC-3 – ACCESS ENFORCEMENT 
+Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

 FMCSA GDL 32 Make sure local wireless interfaces like Bluetooth or Wi-Fi don't provide admin access without authentication.","Inspection of vendor documentation detailing the methods used to authenticate users. Ensure that an acceptable method of authentication is available for all components which be interfaced-to by carrier staff and systems.

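Review bot: no issue with the AC-6 and AC-3 replacements in the AC-030 row; the AC-6 text is identical to the AC-6 text used in the AC-020 and AC-040 rows, which keeps the three consistent. One pre-existing nit in the unchanged verification text worth fixing while this row is open: "all components which be interfaced-to by carrier staff and systems" is missing a verb ("which can be interfaced-to").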
@@ -62,36 +62,28 @@ e.g. PINs, single-sign on with carrier’s identity provider (SAML or other), ve
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
-Cloud or Back-end;",AC-040,Access Control,The vendor shall identify all instances where the telematics system includes actions that cannot support access authentication and/or execute with elevated privileges,"NIST 800-53 AC-14 – PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION 
-The organization:
-a. Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and
-
-b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.
+Cloud or Back-end;",AC-040,Access Control,The vendor shall identify all instances where the telematics system includes actions that cannot support access authentication and/or execute with elevated privileges,"NIST 800-53 r5 AC-14 – PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION 
+a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and
+b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.

-NIST 800-53 AC-6 – LEAST PRIVILEGE 
-The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.","Inspection of vendor-supplied documentation listing system actions and interfaces that do not require authentication. Ensure that the list is short, that each entry in the list is acceptable to you (the carrier), and there is a justifiable reason for no-authentication on each item in the list.",Medium,-,AC-040 (Access Control) - The vendor shall identify all instances where the telematics system includes actions that cannot support access authentication and/or execute with elevated privileges,Yes,Yes,Yes,Yes
+NIST 800-53 r5 AC-6 – LEAST PRIVILEGE 
+Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.","Inspection of vendor-supplied documentation listing system actions and interfaces that do not require authentication. Ensure that the list is short, that each entry in the list is acceptable to you (the carrier), and there is a justifiable reason for no-authentication on each item in the list.",Medium,-,AC-040 (Access Control) - The vendor shall identify all instances where the telematics system includes actions that cannot support access authentication and/or execute with elevated privileges,Yes,Yes,Yes,Yes
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
-Cloud or Back-end;",AC-041,Access Control,Identifying information about the connected devices will not be made available without authentication first.,"NIST 800-53 AC-14 – PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION 
-The organization:
-a. Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and
-
-b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.",Inspection of vendor-supplied documentation listing system actions and interfaces that do not require authentication. Ensure that no information leaks are possible from these unauthenticated actions.,Medium,"e.g. it should not be possible to identify the device type nor firmware version by port scanning a connected device. Also, it should not be able to determine that a vehicle is operational or not via non-authorized connections.",AC-041 (Access Control) - Identifying information about the connected devices will not be made available without authentication first.,Yes,Yes,Yes,Yes
+Cloud or Back-end;",AC-041,Access Control,Identifying information about the connected devices will not be made available without authentication first.,"NIST 800-53 r5 AC-14 – PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION 
+a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and
+b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.",Inspection of vendor-supplied documentation listing system actions and interfaces that do not require authentication. Ensure that no information leaks are possible from these unauthenticated actions.,Medium,"e.g. it should not be possible to identify the device type nor firmware version by port scanning a connected device. Also, it should not be able to determine that a vehicle is operational or not via non-authorized connections.",AC-041 (Access Control) - Identifying information about the connected devices will not be made available without authentication first.,Yes,Yes,Yes,Yes
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
-Cloud or Back-end;",AC-050,Access Control,All remote access methods and possible remote actions to/on telematics system shall be documented.,"NIST 800-53 AC-17 – REMOTE ACCESS 
-The organization:
-a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
-
-b. Authorizes remote access to the information system prior to allowing such connections.",Inspection of vendor-supplied documentation listing the methods of remote access and the actions that can be performed. Ensure that the remote access methods and actions are justifiable and also ensure that all remote methods require authentication (i.e. ensure none of them are listed in vendor documentation for AC-040),Medium,-,AC-050 (Access Control) - All remote access methods and possible remote actions to/on telematics system shall be documented.,Yes,Yes,Yes,Yes
+Cloud or Back-end;",AC-050,Access Control,All remote access methods and possible remote actions to/on telematics system shall be documented.,"NIST 800-53 r5 AC-17 – REMOTE ACCESS 
+a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
+b. Authorize each type of remote access to the system prior to allowing such connections",Inspection of vendor-supplied documentation listing the methods of remote access and the actions that can be performed. Ensure that the remote access methods and actions are justifiable and also ensure that all remote methods require authentication (i.e. ensure none of them are listed in vendor documentation for AC-040),Medium,-,AC-050 (Access Control) - All remote access methods and possible remote actions to/on telematics system shall be documented.,Yes,Yes,Yes,Yes
 "Physical In-Cab Device;
-Connectivity/Communications;",AC-060,Access Control,"For all components of the system, the vendor shall provide a listing of all wireless communication interfaces to the system and specify how the interfaces can be configured and/or disabled.","NIST 800-53 AC-18 – WIRELESS ACCESS 
-The organization:
-a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
-
-b. Authorizes wireless access to the information system prior to allowing such connections.","Inspection of vendor-supplied documentation detailing what wireless communications hardware is present, which wireless communications methods can be disabled, and how wireless communications enablement or disablement is managed.",Medium,"e.g. Bluetooth, cellular, satellite, Wi-Fi hotspot, Wi-Fi client, infrared, NFC, RFID","AC-060 (Access Control) - For all components of the system, the vendor shall provide a listing of all wireless communication interfaces to the system and specify how the interfaces can be configured and/or disabled.",No,Yes,Yes,No
+Connectivity/Communications;",AC-060,Access Control,"For all components of the system, the vendor shall provide a listing of all wireless communication interfaces to the system and specify how the interfaces can be configured and/or disabled.","NIST 800-53 r5 AC-18 – WIRELESS ACCESS 
+a. Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and
+b. Authorize each type of wireless access to the system prior to allowing such connections.","Inspection of vendor-supplied documentation detailing what wireless communications hardware is present, which wireless communications methods can be disabled, and how wireless communications enablement or disablement is managed.",Medium,"e.g. Bluetooth, cellular, satellite, Wi-Fi hotspot, Wi-Fi client, infrared, NFC, RFID","AC-060 (Access Control) - For all components of the system, the vendor shall provide a listing of all wireless communication interfaces to the system and specify how the interfaces can be configured and/or disabled.",No,Yes,Yes,No
 "Physical In-Cab Device;
 Connectivity/Communications;",AC-061,Access Control,"The vendor shall not use any deprecated encryption+authentication on any WiFi interface of the device. At the time of drafting this includes WEP, WPS or open/none.","[GDL 39] Only use WPA2 authentication / encryption. Never use WEP, WPS, or “open” Wi-Fi.","Test that the device will not connect to WEP, WPS or open Wi-Fi hotspots.",Medium,,"AC-061 (Access Control) - The vendor shall not use any deprecated encryption+authentication on any WiFi interface of the device. At the time of drafting this includes WEP, WPS or open/none.",No,Yes,Yes,No
 "Physical In-Cab Device;
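Review bot: in the AC-050 row the new AC-17 item b ("Authorize each type of remote access to the system prior to allowing such connections") is missing its trailing period, unlike the r4 text it replaces and the parallel AC-18 item b in the AC-060 row; add the period so the cells stay uniform. Otherwise the AC-14, AC-17 and AC-18 updates read consistently, and the AC-14 text is the same in the AC-040 and AC-041 rows.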
@@ -100,11 +92,10 @@ Connectivity/Communications;",AC-062,Access Control,"The vendor shall implement,
 [GDL 45] Numeric Comparison is preferred to Passkey Entry for pairing.","Test that it is not possible to pair with the device 5 minutes after enabling pairing on the device. Test that pairing does not support SSP or passkey, only numeric comparison.",Medium,,"AC-062 (Access Control) - The vendor shall implement, for all bluetooth interfaces,  pairing that must be specifically allowed by physical controls on the device and be time-limited. Furthermore, pairing will not use legacy pairing or passkey entry.",No,Yes,Yes,No
 "Physical In-Cab Device;
 Connectivity/Communications;",AC-063,Access Control,Any and all software or firmware implementing wirelss interface encrytion+authentication (those satisfying AC-061 and AC-062 above) will be prepared for future deprecation of methods. i.e. That software/firmware is upgradable.,,Inspection of vendor-supplied documentation confirming upgradability of the software implementing encryption+authentication of wireless interfaces.,Medium,,AC-063 (Access Control) - Any and all software or firmware implementing wirelss interface encrytion+authentication (those satisfying AC-061 and AC-062 above) will be prepared for future deprecation of methods. i.e. That software/firmware is upgradable.,No,Yes,Yes,No
-Cloud or Back-end;,AC-070,Identification and Authentication,Authentication attempts to the vendor’s devices and backends shall be rate-limited to an industry accepted rate.,"NIST 800-53 AC-7 - UNSUCCESSFUL LOGON ATTEMPTS 
-The information system:
-a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
-
-b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
+Cloud or Back-end;,AC-070,Identification and Authentication,Authentication attempts to the vendor’s devices and backends shall be rate-limited to an industry accepted rate.,"NIST 800-53 r5 AC-7 - UNSUCCESSFUL LOGON ATTEMPTS 
+a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
+b. Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other [Assignment: organization-defined action]] when the maximum 
+number of unsuccessful attempts is exceeded.

 CTIA ICCTP 5.2 Password Management Test",Inspection of vendor-supplied documentation detailing the methods used to enforce rate limiting.,Medium,-,AC-070 (Identification and Authentication) - Authentication attempts to the vendor’s devices and backends shall be rate-limited to an industry accepted rate.,No,No,No,Yes
 "Mobile App;
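Review bot: the r5 AC-7 item b in the AC-070 row is split across two cell lines in the middle of a sentence ("when the maximum / number of unsuccessful attempts is exceeded"), which reads like a line wrap carried over from the PDF; join it into one line as the other r5 texts in this patch are. Separately, the unchanged AC-063 context line still reads "wirelss interface encrytion+authentication" in both the Requirement and the Combined columns, a pre-existing typo ("wireless", "encryption") that could go into a follow-up.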
@@ -118,11 +109,9 @@ FMCSA GDL 40 Always use a complex, unique password per device.

 FMCSA GDL 43 Always use a complex, unique password per device.",Inspection of vendor-supplied documentation detailing the local authentication and how the unique credential is generated. Ensure that the generation of this credential cannot be guessed from public information.,Medium,"This requirement applies to many common facilities found on devices. e.g. local management portals, local Wi-Fi access points, Bluetooth pairing codes, local ssh servers, local serial console logins",AC-080 (Device-Local Authentication) - All authentication offered on device-local interfaces shall expect credentials which are unique to each device instance and uncorrelated to any and all public information about the device.,Yes,Yes,Yes,No
 "Physical In-Cab Device;
-Connectivity/Communications;",CM-010,Protecting Actions on Devices,All components of the vendor's system shall be configured to utilize the principle of least functionality and use only the services necessary for secure operations of the system and remove unnecessary services’ executables or at least disabled such that their execution (by even superuser) is not possible in deployed systems.,"NIST 800-53 CM-7 – LEAST FUNCTIONALITY 
-The organization:
-a. Configures the information system to provide only essential capabilities; and
-
-b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
+Connectivity/Communications;",CM-010,Protecting Actions on Devices,All components of the vendor's system shall be configured to utilize the principle of least functionality and use only the services necessary for secure operations of the system and remove unnecessary services’ executables or at least disabled such that their execution (by even superuser) is not possible in deployed systems.,"NIST 800-53 r5 CM-7 – LEAST FUNCTIONALITY 
+a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
+b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].

 CTIA ICCTP 5.17 Design-In Features “deny all inbound and outbound network connections by default

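Review bot: the CM-7 r5 text in the CM-010 row is consistent with the copies in the CM-020 and CM-030 rows, so no issue with the replacement itself; since the same CM-7 text now appears verbatim in three rows, any later correction will have to be applied to all three. The unchanged requirement wording in this row, "remove unnecessary services' executables or at least disabled such that their execution (by even superuser) is not possible", is ungrammatical ("or at least disable them such that"), a pre-existing nit that could be fixed while the row is being touched.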
@@ -132,11 +121,9 @@ FMCSA GDL 21 Where possible, remove code that isn't used",Inspection of vendor d
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
-Cloud or Back-end;",CM-020,Configuration Management,The vendor’s devices shall have all services used for troubleshooting disabled or properly protected from unauthorized access and use.,"NIST 800-53 CM-7 – LEAST FUNCTIONALITY 
-The organization:
-a. Configures the information system to provide only essential capabilities; and
-
-b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
+Cloud or Back-end;",CM-020,Configuration Management,The vendor’s devices shall have all services used for troubleshooting disabled or properly protected from unauthorized access and use.,"NIST 800-53 r5 CM-7 – LEAST FUNCTIONALITY 
+a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
+b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].

 FMCSA GDL 54 Disable unnecessary debugging interfaces in production.

@@ -148,11 +135,9 @@ Ensure that none of the services available are without authentication (see AC-03
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
-Cloud or Back-end;",CM-030,Configuration Management,Vendor ensures that any and all interfaces used for testing or debug are unavailalbe in production builds of the devices,"NIST 800-53 CM-7 – LEAST FUNCTIONALITY
-The organization:
-a. Configures the information system to provide only essential capabilities; and
-
-b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
+Cloud or Back-end;",CM-030,Configuration Management,Vendor ensures that any and all interfaces used for testing or debug are unavailalbe in production builds of the devices,"NIST 800-53 r5 CM-7 – LEAST FUNCTIONALITY
+a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
+b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].

 CAIQ CCC-03.4 Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions?

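Review bot: the CM-030 Requirement column on the + line still carries the typo "unavailalbe" (should be "unavailable"); since this whole row is rewritten in the hunk anyway, it is the natural place to correct it rather than leaving it for a separate typo-only change. The r5 CM-7 text on the + lines otherwise reads correctly and matches the form used for CM-020 in the previous hunk.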
@@ -166,15 +151,15 @@ Ensure that there are no services for test or debug active in the device. Ideall
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
-Cloud or Back-end;",IA-010,Identification and Authentication,All remote hosts of the vendor's system shall be configured to uniquely identify and authenticate all other remote hosts of the system and/or any other interfacing systems.,"NIST 800-53 IA-3 – DEVICE IDENTIFICATION AND AUTHENTICATION 
-The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.","Inspection of vendor-supplied documentation detailing how devices and components are uniquely identified.
+Cloud or Back-end;",IA-010,Identification and Authentication,All remote hosts of the vendor's system shall be configured to uniquely identify and authenticate all other remote hosts of the system and/or any other interfacing systems.,"NIST 800-53 r5 IA-3 – DEVICE IDENTIFICATION AND AUTHENTICATION 
+Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.","Inspection of vendor-supplied documentation detailing how devices and components are uniquely identified.

 Ensure that interfacing systems can query and/or inspect these unique identifiers.",Medium,e.g. that a remote system authenticate the other remote parties by referring to the unique identifiers using mutually authenticated TLS,IA-010 (Identification and Authentication) - All remote hosts of the vendor's system shall be configured to uniquely identify and authenticate all other remote hosts of the system and/or any other interfacing systems.,Yes,Yes,Yes,Yes
 "Physical In-Cab Device;
 Connectivity/Communications;",IA-020,Identification and Authentication,"Any authenticators (unique identification) for devices used in vendor’s systems shall be uncorrelated to any and all public information about the device, e.g. lot number, product number, serial number MAC address are all unacceptable inputs to device identifiers.

-Where public information is any information that is visible (externally or internally) on the device or discoverable by searches based on that visible information.","NIST 800-53 IA-3 – DEVICE IDENTIFICATION AND AUTHENTICATION 
-The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.
+Where public information is any information that is visible (externally or internally) on the device or discoverable by searches based on that visible information.","NIST 800-53 r5 IA-3 – DEVICE IDENTIFICATION AND AUTHENTICATION 
+Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.

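Review bot: minor and out of scope for an xref-only change, but worth fixing while the IA-020 row is being rewritten: the unchanged context line listing unacceptable identifier inputs reads "lot number, product number, serial number MAC address", missing the comma before "MAC address". The r5 IA-3 text on the + lines for both IA-010 and IA-020 is consistent with each other; note that the heading lines keep a trailing space after "DEVICE IDENTIFICATION AND AUTHENTICATION", which you may want to trim.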
@@ -189,8 +174,8 @@ Where public information is any information that is visible (externally or inter
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
-Cloud or Back-end;",IA-030,Identification and Authentication,Cryptographic modules used in the vendors system shall be compliant with Federal Information Processing Standards (FIPS) 140-2: Level 1.,"NIST 800-53 IA-7 – CRYPTOGRAPHIC MODULE AUTHENTICATION 
-The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
+Cloud or Back-end;",IA-030,Identification and Authentication,Cryptographic modules used in the vendors system shall be compliant with Federal Information Processing Standards (FIPS) 140-2: Level 1.,"NIST 800-53 r5 IA-7 – CRYPTOGRAPHIC MODULE AUTHENTICATION 
+Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.

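Review bot: the IA-030 Requirement column on the + line still pins "FIPS 140-2: Level 1" while the r5 IA-7 text it now cites defers only to "applicable laws, executive orders, directives, policies, regulations, standards, and guidelines" and no longer names a standard itself. Changing the requirement is rightly out of scope for this PR, but please record in the update log (or open a follow-up) that the FIPS version named in the requirement was not re-evaluated as part of the r5 move, so it is not mistaken for a confirmed decision.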
@@ -207,22 +192,22 @@ Ensure that their procurement processes require that all cryptographic modules a
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
-Cloud or Back-end;",IR-010,Incidence Response,The vendor shall have a documented incident response plan (IRP) in place which provides the carriers with a point of contact for components used within their telematics system,"NIST 800-53 IR-8 - INCIDENT RESPONSE PLAN 
-The organization:
-a. Develops an incident response plan that:
-1. Provides the organization with a roadmap for implementing its incident response capability;
-2. Describes the structure and organization of the incident response capability;
-3. Provides a high-level approach for how the incident response capability fits into the overall organization;
-4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
-5. Defines reportable incidents;
-6. Provides metrics for measuring the incident response capability within the organization;
-7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
-8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
-8b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
-8c. Reviews the incident response plan [Assignment: organization-defined frequency];
-8d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
-8e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
-8f. Protects the incident response plan from unauthorized disclosure and modification.
+Cloud or Back-end;",IR-010,Incidence Response,The vendor shall have a documented incident response plan (IRP) in place which provides the carriers with a point of contact for components used within their telematics system,"NIST 800-53 r5 IR-8 - INCIDENT RESPONSE PLAN 
+a. Develop an incident response plan that:
+  1. Provides the organization with a roadmap for implementing its incident response capability;
+  2. Describes the structure and organization of the incident response capability;
+  3. Provides a high-level approach for how the incident response capability fits into the overall organization;
+  4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
+  5. Defines reportable incidents;
+  6. Provides metrics for measuring the incident response capability within the organization;
+  7. Defines the resources and management support needed to effectively maintain and mature an incident response capability;
+  8. Addresses the sharing of incident information;
+  9. Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and
+  10. Explicitly designates responsibility for incident response to [Assignment: organizationdefined entities, personnel, or roles].
+b. Distribute copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
+c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
+d. Communicate incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
+e. Protect the incident response plan from unauthorized disclosure and modification.

 FMCSA GDL 14 Employ an incident response process.","Inspection of vendor-supplied documentation detailing the vendor’s incident response process.

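Review bot: the a.10 line reads "[Assignment: organizationdefined entities, personnel, or roles]" without the hyphen in "organization-defined", which looks like a line-break artifact from copying out of the PDF; every other bracket in this cell uses the hyphenated form, so please fix it for consistency. While this row is being touched, the Category column on the + line still says "Incidence Response"; "Incident Response" is the term both the Requirement text and the cited IR-8 title use.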
@@ -230,31 +215,21 @@ Ensure that it documents the methods that can be used to notify the vendor of a
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
-Cloud or Back-end;",M-010,Maintenance,The vendor shall have procedures in place to ensure that components outside of the carrier’s direct control are not updated or modified without prior coordination and approval by an organization-defined individual or role,"NIST 800-53 MA-2 – CONTROLLED MAINTENANCE 
-The organization:
-a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
-
-b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
-
-c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
-
-d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
-
-e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
-
-f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.","Inspection of vendor-supplied documentation detailing their maintenance/release process.
+Cloud or Back-end;",M-010,Maintenance,The vendor shall have procedures in place to ensure that components outside of the carrier’s direct control are not updated or modified without prior coordination and approval by an organization-defined individual or role,"NIST 800-53 r5 MA-2 – CONTROLLED MAINTENANCE 
+a. Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
+b. Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;
+c. Require that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;
+d. Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: [Assignment: organization-defined information];
+e. Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and
+f. Include the following information in organizational maintenance records: [Assignment: organization-defined information].","Inspection of vendor-supplied documentation detailing their maintenance/release process.

 Ensure that there is a process where you (the carrier) are contacted and coordinated-with before the systems upon which you rely undergo maintenance procedures.",Medium,-,M-010 (Maintenance) - The vendor shall have procedures in place to ensure that components outside of the carrier’s direct control are not updated or modified without prior coordination and approval by an organization-defined individual or role,Yes,Yes,Yes,Yes
-Cloud or Back-end;,M-020,Maintenance,The vendor shall have procedures in place to test backup restoration processes of their own systems and their own facilities on at least an annual basis.,"NIST 800-53 CP-4 - CONTINGENCY PLAN TESTING 
-The organization:
-a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
-
-b. Reviews the contingency plan test results; and
-
-c. Initiates corrective actions, if needed.
-
-NIST 800-53 CP-9 (1) - SYSTEM BACKUP | TESTING FOR RELIABILITY AND INTEGRITY 
+Cloud or Back-end;,M-020,Maintenance,The vendor shall have procedures in place to test backup restoration processes of their own systems and their own facilities on at least an annual basis.,"NIST 800-53 r5 CP-4 - CONTINGENCY PLAN TESTING 
+a. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests].
+b. Review the contingency plan test results; and
+c. Initiate corrective actions, if needed.

+NIST 800-53 r5 CP-9 (1) - SYSTEM BACKUP | TESTING FOR RELIABILITY AND INTEGRITY 
 Test backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.

 CAIQ BCR-11.5 Do you test your backup or redundancy mechanisms at least annually?",Inspection of vendor-supplied documentation detailing backup and restore procedures.,High,TSPs must demonstrate this level of maturity to be trusted with business critical functions,M-020 (Maintenance) - The vendor shall have procedures in place to test backup restoration processes of their own systems and their own facilities on at least an annual basis.,No,No,No,Yes
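Review bot: the blank-line separators between the lettered items in the MA-2 and CP-4 cells are dropped on the + side (the r4 text had a blank line after each item; the r5 text runs a./b./c. on consecutive lines). That is a presentation change inside the spreadsheet cells rather than a reference change, so please confirm it is intentional and applied uniformly to every updated row, otherwise rows that were not touched by this PR will render differently from the ones that were.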
@@ -265,38 +240,37 @@ Cloud or Back-end;,M-031,Disposal of Goods,"The vendor's disposal of goods polic

 NIST 800-88 R1",Inspection of vendor-supplied documentation detailing their disposal of goods procedures; confirm that disposal of systems in skips or landfills is not allowed unless the systems have been purged or cleared.,Medium,,"M-031 (Disposal of Goods) - The vendor's disposal of goods policy must forbid disposal in skips, dumps or landfills until it has been processed to purge or clear previously stored information.",No,No,No,Yes
 Cloud or Back-end;,M-032,Disposal of Goods,"The vendor's processes to remove previously stored information must include acceptable processes for magnetic media, solid-state media, printers, scanners, laptops, smartphones, server and deskstop computers.",NIST 800-88 R1 Appendix A -- Minimum Sanitization Recommendations,"Inspection of vendor-supplied documentation detailing their disposal of goods procedures; confirm that there are procedures that cover all of magnetic media, solid-state media, printers, scanners, laptops, smartphones, server and desktop computers",Low,,"M-032 (Disposal of Goods) - The vendor's processes to remove previously stored information must include acceptable processes for magnetic media, solid-state media, printers, scanners, laptops, smartphones, server and deskstop computers.",No,No,No,Yes
-Cloud or Back-end;,P-010,Planning,The vendor shall have a System Security Plan (SSP) which details a clear and concise understanding of authorization boundaries of the telematics system.,"NIST 800-53 PL-2 - SECURITY AND PRIVACY PLANS 
-The organization:
-a. Develops a security plan for the information system that:
-1. Is consistent with the organization's enterprise architecture;
-2. Explicitly defines the authorization boundary for the system;
-3. Describes the operational context of the information system in terms of missions and business processes;
-4. Provides the security categorization of the information system including supporting rationale;
-5. Describes the operational environment for the information system and relationships with or connections to other information systems;
-6. Provides an overview of the security requirements for the system;
-7. Identifies any relevant overlays, if applicable;
-8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
-9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
-
-b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
-
-c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
-
-d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
-
-e. Protects the security plan from unauthorized disclosure and modification.","Inspection of vendor-supplied SSP document that details the authorization boundaries of telematics system.
+Cloud or Back-end;,P-010,Planning,The vendor shall have a System Security Plan (SSP) which details a clear and concise understanding of authorization boundaries of the telematics system.,"NIST 800-53 r5 PL-2 - SECURITY AND PRIVACY PLANS 
+a. Develop security and privacy plans for the system that:
+  1. Are consistent with the organization’s enterprise architecture;
+  2. Explicitly define the constituent system components;
+  3. Describe the operational context of the system in terms of mission and business processes;
+  4. Identify the individuals that fulfill system roles and responsibilities;
+  5. Identify the information types processed, stored, and transmitted by the system;
+  6. Provide the security categorization of the system, including supporting rationale;
+  7. Describe any specific threats to the system that are of concern to the organization;
+  8. Provide the results of a privacy risk assessment for systems processing personally identifiable information;
+  9. Describe the operational environment for the system and any dependencies on or connections to other systems or system components;
+  10. Provide an overview of the security and privacy requirements for the system;
+  11. Identify any relevant control baselines or overlays, if applicable;
+  12. Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;
+  13. Include risk determinations for security and privacy architecture and design decisions;
+  14. Include security- and privacy-related activities affecting the system that require planning and coordination with [Assignment: organization-defined individuals or groups]; and
+  15. Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.
+b. Distribute copies of the plans and communicate subsequent changes to the plans to [Assignment: organization-defined personnel or roles];
+c. Review the plans [Assignment: organization-defined frequency];
+d. Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and
+e. Protect the plans from unauthorized disclosure and modification.","Inspection of vendor-supplied SSP document that details the authorization boundaries of telematics system.

 Ensure that the document details which entity has responsibility for each component of the system, the system baseline and security posture within the boundaries.",Medium,-,P-010 (Planning) - The vendor shall have a System Security Plan (SSP) which details a clear and concise understanding of authorization boundaries of the telematics system.,No,No,No,Yes
-Cloud or Back-end;,P-020,Planning,The vendor shall have a documented Information Security Architecture (ISA) for the telematics system.  ,"NIST 800-53 PL-8 - SECURITY AND PRIVACY ARCHITECTURES 
-The organization:
-a. Develops an information security architecture for the information system that:
-1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
-2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
-3. Describes any information security assumptions about, and dependencies on, external services;
-
-b. Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and
-
-c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.","·         Inspection of vendor-supplied ISA documentation.
+Cloud or Back-end;,P-020,Planning,The vendor shall have a documented Information Security Architecture (ISA) for the telematics system.  ,"NIST 800-53 r5 PL-8 - SECURITY AND PRIVACY ARCHITECTURES 
+a. Develop security and privacy architectures for the system that:
+  1. Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;
+  2. Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;
+  3. Describe how the architectures are integrated into and support the enterprise architecture; and
+  4. Describe any assumptions about, and dependencies on, external systems and services;
+b. Review and update the architectures [Assignment: organization-defined frequency] to reflect changes in the enterprise architecture; and
+c. Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.","·         Inspection of vendor-supplied ISA documentation.

 Ensure that the ISA document at a minimum includes:
 Approach to confidentiality, integrity, and availability protections
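Review bot: the P-010 requirement and its verification text are built around "authorization boundaries", and the r4 PL-2 a.2 line being removed ("Explicitly defines the authorization boundary for the system") was the direct hook for that; the r5 a.2 line that replaces it reads "Explicitly define the constituent system components", so the phrase "authorization boundary" no longer appears anywhere in the cited control text. The xref itself is still correct, but this is exactly the kind of smaller change the description says the NIST comparison spreadsheet overlooks, so it deserves an entry in the update log and possibly a remark on the row so readers know where the boundary language now comes from. Minor: the P-020 verification cell keeps the stray "·" bullet and run of spaces before "Inspection of vendor-supplied ISA documentation" on both sides of the diff; consider cleaning it up while the row is rewritten.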
@@ -312,57 +286,51 @@ Ensure that your (carrier) systems can failover to other providers with the same
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
-Cloud or Back-end;",PS-010,Personnel Security,"The vendor shall have personnel security policies & procedures, position risk categorization, personnel screening, personnel termination, personnel transfer, access agreements and third-party personnel security.","NIST 800-53 PS-1 - PERSONNEL SECURITY POLICY AND PROCEDURES 
-The organization:
-a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
-1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
-2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
-
-b. Reviews and updates the current:
-1. Personnel security policy [Assignment: organization-defined frequency]; and
-2. Personnel security procedures [Assignment: organization-defined frequency].
-
-NIST 800-53 PS-7 - EXTERNAL PERSONNEL SECURITY 
-The organization:
-a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
-
-b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
-
-c. Documents personnel security requirements;
-
-d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and
-
-e. Monitors provider compliance.",Inspection of vendor-supplied documents detailing their personal security policies & procedures.,Medium,-,"PS-010 (Personnel Security) - The vendor shall have personnel security policies & procedures, position risk categorization, personnel screening, personnel termination, personnel transfer, access agreements and third-party personnel security.",Yes,Yes,Yes,Yes
+Cloud or Back-end;",PS-010,Personnel Security,"The vendor shall have personnel security policies & procedures, position risk categorization, personnel screening, personnel termination, personnel transfer, access agreements and third-party personnel security.","NIST 800-53 r5 PS-1 - POLICY AND PROCEDURES 
+a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
+  1. [Selection (one or more): Organization-level; Mission/business process-level; Systemlevel] personnel security policy that:
+    (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
+    (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
+  2. Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;
+b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personnel security policy and procedures; and
+c. Review and update the current personnel security:
+  1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
+  2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
+
+NIST 800-53 r5 PS-7 - EXTERNAL PERSONNEL SECURITY 
+a. Establish personnel security requirements, including security roles and responsibilities for external providers;
+b. Require external providers to comply with personnel security policies and procedures established by the organization;
+c. Document personnel security requirements;
+d. Require external providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within [Assignment: organizationdefined time period]; and
+e. Monitor provider compliance with personnel security requirements.",Inspection of vendor-supplied documents detailing their personal security policies & procedures.,Medium,-,"PS-010 (Personnel Security) - The vendor shall have personnel security policies & procedures, position risk categorization, personnel screening, personnel termination, personnel transfer, access agreements and third-party personnel security.",Yes,Yes,Yes,Yes
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
-Cloud or Back-end;",RA-010,Risk Assessment,Vendor shall have risk assessments conducted at an industry accepted rate. Resulting risk assessment documentation should include all components and the overall system that is within the vendor's control. The rate suggested is twice per product release; both at product design and at integration phases,"NIST 800-53 RA-3 – RISK ASSESSMENT 
-The organization:
-a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
-
-b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
-
-c. Reviews risk assessment results [Assignment: organization-defined frequency];
-
-d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
-
-e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
+Cloud or Back-end;",RA-010,Risk Assessment,Vendor shall have risk assessments conducted at an industry accepted rate. Resulting risk assessment documentation should include all components and the overall system that is within the vendor's control. The rate suggested is twice per product release; both at product design and at integration phases,"NIST 800-53 r5 RA-3 – RISK ASSESSMENT 
+a. Conduct a risk assessment, including:
+  1. Identifying threats to and vulnerabilities in the system;
+  2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
+  3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
+b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;
+c. Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]];
+d. Review risk assessment results [Assignment: organization-defined frequency];
+e. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and
+f. Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

 FMCSA GDL 1 Conduct architectural analysis and/or threat modeling during system design",Inspection of vendor-supplied documentation stating their previous and planned risk assessment dates and detailing the documentation requirements of their risk assessments.,Medium,-,RA-010 (Risk Assessment) - Vendor shall have risk assessments conducted at an industry accepted rate. Resulting risk assessment documentation should include all components and the overall system that is within the vendor's control. The rate suggested is twice per product release; both at product design and at integration phases,Yes,Yes,Yes,Yes
 "Mobile App
 Physical In-Cab Device
 Connectivity/Communications
-Cloud or Back-end",RA-020,Risk Assessment,The vendor shall use the results of risk assessments to influence systems development and processes.,"NIST 800-53 RA-3 – RISK ASSESSMENT 
-The organization:
-a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
-
-b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
-
-c. Reviews risk assessment results [Assignment: organization-defined frequency];
-
-d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
-
-e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
+Cloud or Back-end",RA-020,Risk Assessment,The vendor shall use the results of risk assessments to influence systems development and processes.,"NIST 800-53 r5 RA-3 – RISK ASSESSMENT 
+a. Conduct a risk assessment, including:
+  1. Identifying threats to and vulnerabilities in the system;
+  2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
+  3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
+b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;
+c. Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]];
+d. Review risk assessment results [Assignment: organization-defined frequency];
+e. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and
+f. Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

 CAIQ GRM-08.1 Do risk assessment results include updates to security policies, procedures, standards, and controls to ensure they remain relevant and effective?

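Review bot: the control label separator is inconsistent after this rewrite. `NIST 800-53 r5 RA-3 – RISK ASSESSMENT` keeps an en dash (and a trailing space before the newline) while the other rewritten labels in this change use a plain hyphen, e.g. `NIST 800-53 r5 CA-2 - CONTROL ASSESSMENTS`. Since every reference label is being touched anyway, pick one separator and strip the trailing whitespace so these cells diff cleanly on the next revision bump. The a. through f. items themselves are complete and the a.1 to a.3 sub-items are indented consistently.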
@@ -370,41 +338,40 @@ FMCSA GDL 1 Conduct architectural analysis and/or threat modeling during system
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
-Cloud or Back-end;",SAA-010,Security Management,The vendor shall have an Information Security Management Plan (ISMP).,"NIST 800-53 CA-2 - ASSESSMENTS 
-The organization:
-a. Develops a security assessment plan that describes the scope of the assessment including:
-1. Security controls and control enhancements under assessment;
-2. Assessment procedures to be used to determine security control effectiveness; and
-3. Assessment environment, assessment team, and assessment roles and responsibilities;
-
-b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
-
-c. Produces a security assessment report that documents the results of the assessment; and
-
-d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
-
-NIST 800-53 CA-5 - PLAN OF ACTION AND MILESTONES 
-The organization:
-a. Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
-
-b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
-
-NIST 800-53 CA-6 - SECURITY AUTHORIZATION 
-The organization:
-a. Assigns a senior-level executive or manager as the authorizing official for the information system;
-b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
-c. Updates the security authorization [Assignment: organization-defined frequency].
-
-NIST 800-53 CP-1 - CONTINGENCY PLANNING POLICY AND PROCEDURES 
-The organization:
-a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
-1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
-
-2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
-
-b. Reviews and updates the current:
-1. Contingency planning policy [Assignment: organization-defined frequency]; and
-2. Contingency planning procedures [Assignment: organization-defined frequency].
+Cloud or Back-end;",SAA-010,Security Management,The vendor shall have an Information Security Management Plan (ISMP).,"NIST 800-53 r5 CA-2 - CONTROL ASSESSMENTS 
+a. Select the appropriate assessor or assessment team for the type of assessment to be conducted;
+b. Develop a control assessment plan that describes the scope of the assessment including:
+  1. Controls and control enhancements under assessment;
+  2. Assessment procedures to be used to determine control effectiveness; and
+  3. Assessment environment, assessment team, and assessment roles and responsibilities;
+c. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
+d. Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;
+e. Produce a control assessment report that document the results of the assessment; and
+f. Provide the results of the control assessment to [Assignment: organization-defined individuals or roles].
+
+NIST 800-53 r5 CA-5 - PLAN OF ACTION AND MILESTONES 
+a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and
+b. Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.
+
+NIST 800-53 r5 CA-6 - AUTHORIZATION 
+a. Assign a senior official as the authorizing official for the system;
+b. Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;
+c. Ensure that the authorizing official for the system, before commencing operations:
+  1. Accepts the use of common controls inherited by the system; and
+  2. Authorizes the system to operate;
+d. Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;
+e. Update the authorizations [Assignment: organization-defined frequency].
+
+NIST 800-53 r5 CP-1 - POLICY AND PROCEDURES
+a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
+  1. [Selection (one or more): Organization-level; Mission/business process-level; Systemlevel] contingency planning policy that:
+    (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
+    (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
+  2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;
+b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and
+c. Review and update the current contingency planning:
+  1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
+  2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

 CAIQ GRM-04.1 Do you provide tenants with documentation describing your Information Security Management Program (ISMP)?

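Review bot: "Systemlevel" in the CP-1 a.1 line is missing its hyphen and should read "System-level"; the hyphen sat at a line break in the r5 PDF and was dropped on copy. The same artifact appears in several other rewritten cells (`organizationdefined`, `postdesign`, `FIPSvalidated`), so a search for words joined across a lost hyphen is worth doing before merge. Two smaller items in this cell: "Produce a control assessment report that document the results" has a subject-verb mismatch ("documents") unless the intent is to quote the source verbatim, and the CA-2 label carries a trailing space before the newline.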
@@ -424,9 +391,8 @@ Cloud or Back-end;",SAA-020,Security Assessment and Authorization,"The vendor sh

 Penetration testing can be performed by teams internal to the TSP; industry best practice is to have external pentesting performed periodically also.","NIST 800-115 Technical Guide to Information Security Testing and Assessment – All sections

-NIST 800-53 CA-8 – PENETRATION TESTING 
-
-The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components].
+NIST 800-53 r5 CA-8 – PENETRATION TESTING 
+Conduct penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined systems or system components].

 CAIQ AIS-01.5 Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?

@@ -443,34 +409,30 @@ Penetration testing can be performed by teams internal to the TSP; industry best
 Vehicle Connection;
 Connectivity/Communications;
 Cloud or Back-end;
-",SAA-030,System and Service Acquisition,"Vendor shall have Security Testing and Evaluation (ST&E) of the system and/or components that includes all results of the security testing and evaluation, including discovered vulnerabilities and a plan/process to mitigate discovered vulnerabilities or weaknesses in the system.","NIST 800-53 SA-11 – DEVELOPER TESTING AND EVALUATION
-The organization requires the developer of the information system, system component, or information system service to:
-a. Create and implement a security assessment plan;
-
-b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
-
-c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
-
+",SAA-030,System and Service Acquisition,"Vendor shall have Security Testing and Evaluation (ST&E) of the system and/or components that includes all results of the security testing and evaluation, including discovered vulnerabilities and a plan/process to mitigate discovered vulnerabilities or weaknesses in the system.","NIST 800-53 r5 SA-11 – DEVELOPER TESTING AND EVALUATION
+Require the developer of the system, system component, or system service, at all postdesign stages of the system development life cycle, to:
+a. Develop and implement a plan for ongoing security and privacy control assessments;
+b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage];
+c. Produce evidence of the execution of the assessment plan and the results of the testing and
+evaluation;
 d. Implement a verifiable flaw remediation process; and
-
-e. Correct flaws identified during security testing/evaluation.","Inspection of vendor-supplied documentation detailing their product release and quality controls.
+e. Correct flaws identified during testing and evaluation.","Inspection of vendor-supplied documentation detailing their product release and quality controls.

 Ensure that the product release process includes ST&E steps and that these feed-back into product development.",Medium,-,"SAA-030 (System and Service Acquisition) - Vendor shall have Security Testing and Evaluation (ST&E) of the system and/or components that includes all results of the security testing and evaluation, including discovered vulnerabilities and a plan/process to mitigate discovered vulnerabilities or weaknesses in the system.",Yes,Yes,Yes,Yes
 "Mobile App;
 Vehicle Connection;
 Connectivity/Communications;
 Cloud or Back-end;
-",SAA-040,System and Service Acquisition,The vendor shall perform due diligence to ensure its suppliers also meet the vendor's security requirements,"NIST 800-53 SA-12 (2) - SUPPLY CHAIN PROTECTION | SUPPLIER REVIEWS
-The organization conducts a supplier review prior to entering into a contractual agreement to
-acquire the information system, system component, or information system service. 
+",SAA-040,System and Service Acquisition,The vendor shall perform due diligence to ensure its suppliers also meet the vendor's security requirements,"NIST 800-53 r5 SR-6 - SUPPLIER ASSESSMENTS AND REVIEWS
+Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide [Assignment: organization-defined frequency].

 FMCSA GDL 6 Perform your own security due diligence, which involves but is not limited to ensuring that third-party devices in the supply chain meet your basic security requirements.",Inspection of vendor documentation detailing supplier review and acceptance processes and criteria.,Low,-,SAA-040 (System and Service Acquisition) - The vendor shall perform due diligence to ensure its suppliers also meet the vendor's security requirements,Yes,Yes,Yes,Yes
 "Mobile App;
 Vehicle Connection;
 Connectivity/Communications;
 Cloud or Back-end;
-",SCP-010,Protecting Communications paths for systems,Communication paths that traverse outside controlled boundaries must protect confidentiality and integrity of data,"NIST 800-53 SC-8 (1) - TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC PROTECTION 
-The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components].
+",SCP-010,Protecting Communications paths for systems,Communication paths that traverse outside controlled boundaries must protect confidentiality and integrity of data,"NIST 800-53 r5 SC-8 (1) - TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC PROTECTION 
+Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.

 FMCSA GDL 46 Use encryption on all wireless communication interfaces

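Review bot: SA-11 item c is split across two physical lines mid-sentence ("...the results of the testing and" / "evaluation;"), a stray line break from the PDF copy; join it so the cell keeps the one-line-per-item layout of items a, b, d and e. In the same cell "postdesign" should be "post-design". One thing to consider for the SCP-010 row: the r5 SC-8 (1) wording is "[Selection (one or more): prevent unauthorized disclosure of information; detect changes to information]" while the requirement text demands both confidentiality and integrity, so a remark that both selections apply would stop the reference from reading as an either/or.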
@@ -489,14 +451,14 @@ Cloud or Back-end;
 Vehicle Connection;
 Connectivity/Communications;
 Cloud or Back-end;
-",SCP-020,Protecting Data on Devices,"Measures will be taken by vendors to protect the confidentiality of any information at rest on the devices that could be interpreted as Sensitive and/or Personally Identifiable Information. This sensitive information is defined in SCP-030 where ‘at rest’ is understood to mean any state where the data is in a non-volatile storage medium, e.g. eMMC not RAM.","NIST 800-53 SC-28 - PROTECTION OF INFORMATION AT REST
-The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].
+",SCP-020,Protecting Data on Devices,"Measures will be taken by vendors to protect the confidentiality of any information at rest on the devices that could be interpreted as Sensitive and/or Personally Identifiable Information. This sensitive information is defined in SCP-030 where ‘at rest’ is understood to mean any state where the data is in a non-volatile storage medium, e.g. eMMC not RAM.","NIST 800-53 r5 SC-28 - PROTECTION OF INFORMATION AT REST
+Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest].

-NIST 800-53 SC-28 (1) - PROTECTION OF INFORMATION AT REST | CRYPTOGRAPHIC PROTECTION 
-The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]. 
+NIST 800-53 r5 SC-28 (1) - PROTECTION OF INFORMATION AT REST | CRYPTOGRAPHIC PROTECTION 
+Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information].

-NIST 800-53 SC-28 (2) - PROTECTION OF INFORMATION AT REST | OFF-LINE STORAGE 
-The organization removes from online storage and stores off-line in a secure location [Assignment: organization-defined information].","Inspection of a 3rd party implementation review report or a demonstration by the vendor that asserts the use of cryptographic confidentiality protections on storage of sensitive data (class defined by vendor, see SCP-030). The protections must be industry standard and keys must be managed to protect them from leaks as well. (rationale: cryptography must be validated by experts in the subject)",High,"Failing to adequately protect PII can incur large fines
+NIST 800-53 r5 SC-28 (2) - PROTECTION OF INFORMATION AT REST | OFFLINE STORAGE 
+Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information].","Inspection of a 3rd party implementation review report or a demonstration by the vendor that asserts the use of cryptographic confidentiality protections on storage of sensitive data (class defined by vendor, see SCP-030). The protections must be industry standard and keys must be managed to protect them from leaks as well. (rationale: cryptography must be validated by experts in the subject)",High,"Failing to adequately protect PII can incur large fines

 e.g. this applies also to apps on mobile where data is cached until it can be synced to other vehicle-connected devices. This data must be encrypted as per this requirement.

@@ -522,17 +484,17 @@ Public information is any information that is visible (externally or internally)

-","NIST 800-53 SC-12 - CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT 
-The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
+","NIST 800-53 r5 SC-12 - CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT 
+Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

-NIST 800-53 SC-12 (1) - CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | AVAILABILITY 
-The organization maintains availability of information in the event of the loss of cryptographic keys by users.
+NIST 800-53 r5 SC-12 (1) - CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | AVAILABILITY 
+Maintain availability of information in the event of the loss of cryptographic keys by users.

-NIST 800-53 SC-12 (2) - CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | SYMMETRIC KEYS 
-The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes.
+NIST 800-53 r5 SC-12 (2) - CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | SYMMETRIC KEYS 
+Produce, control, and distribute symmetric cryptographic keys using [Selection: NIST FIPSvalidated; NSA-approved] key management technology and processes.

-NIST 800-53 SC-12 (3) - CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | ASYMMETRIC KEYS 
-The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key].
+NIST 800-53 r5 SC-12 (3) - CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | ASYMMETRIC KEYS 
+Produce, control, and distribute asymmetric cryptographic keys using [Selection: NSAapproved key management technology and processes; prepositioned keying material; DoD-approved or DoD-issued Medium Assurance PKI certificates; DoD approved or DoDissued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user’s private key; certificates issued in accordance with organization-defined requirements].

 NIST Special Publication 800-133 - Recommendation for Cryptographic Key Generation","Inspection of vendor documentation detailing the inputs to the cryptographic key generation process per device. Ensure that no input is information that can be easily-guessed from simple facts about the device.

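Review bot: three lost hyphens in the SC-12 (2) and SC-12 (3) lines: "FIPSvalidated", "NSAapproved" and "DoDissued" should be "FIPS-validated", "NSA-approved" and "DoD-issued", and "DoD approved or DoDissued" should read "DoD-approved or DoD-issued" to match the "DoD-approved or DoD-issued" phrase that precedes it in the same sentence. The label lines also keep a trailing space after each title (e.g. "...| AVAILABILITY ").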
@@ -547,20 +509,20 @@ Public information is any information that is visible (externally or internally)

 ",Yes,Yes,Yes,Yes
 "Cloud or Back-end;
-",SCP-050,Protecting Data in the Backend,All customer-related data will be logically segmented (e.g. encrypted with segmented keys) such that it is possible to produce all data related to one customer without inadvertently exposing any data of any others.,"NIST 800-53 SC-4 - INFORMATION IN SHARED SYSTEM RESOURCES
-The information system prevents unauthorized and unintended information transfer via shared system resources. 
+",SCP-050,Protecting Data in the Backend,All customer-related data will be logically segmented (e.g. encrypted with segmented keys) such that it is possible to produce all data related to one customer without inadvertently exposing any data of any others.,"NIST 800-53 r5 SC-4 - INFORMATION IN SHARED SYSTEM RESOURCES
+Prevent unauthorized and unintended information transfer via shared system resources.

-NIST 800-53 SC-4 (2) - INFORMATION IN SHARED SYSTEM RESOURCES | MULTILEVEL OR PERIODS PROCESSING 
-The information system prevents unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories.
+NIST 800-53 r5 SC-4 (2) - INFORMATION IN SHARED SYSTEM RESOURCES | MULTILEVEL OR PERIODS PROCESSING 
+Prevent unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories.

 CAIQ AAC-03.1 Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?",Inspection of vendor-supplied design documentation or a demonstration by the vendor that details  backend data storage and access. Ensure that either design aspects such as storage instances are per-customer or the cryptographic confidentiality protections are used to ensure one customer instance cannot read data from another. NB: Some or multiple may apply.,High,Otherwise could cause PII breaches and incur strong penalties,SCP-050 (Protecting Data in the Backend) - All customer-related data will be logically segmented (e.g. encrypted with segmented keys) such that it is possible to produce all data related to one customer without inadvertently exposing any data of any others.,No,No,No,Yes
 "Vehicle Connection;
 Connectivity/Communications;
-",SCP-060,Protecting Vehicle Network Escalation from Devices,The vendor shall enforce controls integrated into the telematics device to limit the possible commands and data transmitted to the vehicle network.,"NIST 800-53 SI-10 – INPUT INFORMATION VALIDATION
-The information system checks the validity of [Assignment: organization-defined information inputs].
+",SCP-060,Protecting Vehicle Network Escalation from Devices,The vendor shall enforce controls integrated into the telematics device to limit the possible commands and data transmitted to the vehicle network.,"NIST 800-53 r5 SI-10 – INFORMATION INPUT VALIDATION
+Check the validity of the following information inputs: [Assignment: organizationdefined information inputs to the system].

-NIST 800-53 SC-7 (21) - (21) BOUNDARY PROTECTION | ISOLATION OF SYSTEM COMPONENTS 
-The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions].
+NIST 800-53 r5 SC-7 (21) - BOUNDARY PROTECTION | ISOLATION OF SYSTEM COMPONENTS 
+Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions].

 FMCSA GDL 27 Limit telematics units' access to the CAN bus, and whitelist the CAN messages they can send

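Review bot: "organizationdefined" in the SI-10 line should be "organization-defined" (hyphen lost at a PDF line break). Dropping the duplicated "(21)" from the SC-7 (21) label is a correct fix; nothing else to flag in this hunk.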
@@ -576,17 +538,17 @@ Sessions must be randomized and uniquely identified.

 Protections must be implemented to restrict certificate authorities to a short (maximum 3) list of those expected by the vendor, i.e. secure communications must implement certificate pinning to a short whitelist of certificate authorities.

-Certificate pinning shall be implemented on all telematics device to server communications (e.g. telematics gateways or IVGs). Administrative ‘backend’ systems may be exempt from this requirement to allow for stream inspection by enterprise intrusion detection systems.","NIST 800-53 SC-23 – SESSION AUTHENTICITY 
-The information system protects the authenticity of communications sessions.
+Certificate pinning shall be implemented on all telematics device to server communications (e.g. telematics gateways or IVGs). Administrative ‘backend’ systems may be exempt from this requirement to allow for stream inspection by enterprise intrusion detection systems.","NIST 800-53 r5 SC-23 – SESSION AUTHENTICITY 
+Protect the authenticity of communications sessions.

-NIST 800-53 SC-23 (1) - SESSION AUTHENTICITY | INVALIDATE SESSION IDENTIFIERS AT LOGOUT 
-The information system invalidates session identifiers upon user logout or other session termination.
+NIST 800-53 r5 SC-23 (1) - SESSION AUTHENTICITY | INVALIDATE SESSION IDENTIFIERS AT LOGOUT 
+Invalidate session identifiers upon user logout or other session termination.

-NIST 800-53 SC-23 (3) - SESSION AUTHENTICITY | UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION 
-The information system generates a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognizes only session identifiers that are system-generated.
+NIST 800-53 r5 SC-23 (3) - SESSION AUTHENTICITY | UNIQUE SYSTEM-GENERATED SESSION IDENTIFIERS 
+Generate a unique session identifier for each session with [Assignment: organizationdefined randomness requirements] and recognize only session identifiers that are systemgenerated.

-NIST 800-53 SC-23 (5) - SESSION AUTHENTICITY | ALLOWED CERTIFICATE AUTHORITIES 
-The information system only allows the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.
+NIST 800-53 r5 SC-23 (5) - SESSION AUTHENTICITY | ALLOWED CERTIFICATE AUTHORITIES 
+Only allow the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.

 CAIQ DSI-03.2 Do you utilize open encryption methodologies any time your infrastructure components need to communicate with each other via public networks (e.g., Internet-based replication of data from one environment to another)?

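Review bot: "organizationdefined" and "systemgenerated" in the SC-23 (3) line should be "organization-defined" and "system-generated"; both hyphens were lost at line breaks in the copied r5 text. The renamed enhancement title "UNIQUE SYSTEM-GENERATED SESSION IDENTIFIERS" is fine as written.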
@@ -594,7 +556,7 @@ CTIA ICCTP 4.8 Encryption of Data in Transit","Inspection of vendor-supplied doc

 Ensure that certificate pinning is in use in communication path between telematics device and vendor’s infrastructure.

-Ensure compliance with NIST 800-53 control SC-23.",High,"Confidentiality and integrity of communication underpins the security of the system
+Ensure compliance with NIST 800-53 r5 control SC-23.",High,"Confidentiality and integrity of communication underpins the security of the system

 Certificate pinning in clients -- when combined with the other requirement for e.g. fail-over – could result in extra complications and so functional testing of fail over should be performed.
 ","SCP-090 (System and Communication Protocols) - The vendor's system shall implement protection of communications sessions against attacks including session hijacking and traffic manipulation. Where a session is understood to mean a time-limited autenticated login with the clound/back-end.
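Review bot: the unchanged context line that closes this hunk carries two pre-existing typos in the SCP-090 Combined column, "autenticated" and "clound" (for "authenticated" and "cloud"); since this row is already being edited for the r5 reference, it is a good moment to fix them, either here or in a follow-up.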
@@ -613,9 +575,11 @@ Cloud or Back-end;

 [GDL 52] Ensure the ability to remove a Root CA’s certificate.","Test that root certificate trust can be removed. This should result in failure to establish communications or a failure to validate updates, depending on which system is being tested.",Medium,,SCP-091 (System and Communication Protocols) - The vendor shall implement checks for expired certificates and ensure the ability to remove trust in any given root certificate authority from their systems and devices PKI implementations.,Yes,No,Yes,Yes
 "Vehicle Connection;
-",SCP-100,System and Communication Protocols,The vendor's system shall separate execution domains and/or processes (i.e. process isolation within both the telematics device and back-end system and between the serial communications in the telematics device and the interface to the vehicle network),"NIST 800-53 SC-39 - PROCESS ISOLATION The information system maintains a separate execution domain for each executing process.
+",SCP-100,System and Communication Protocols,The vendor's system shall separate execution domains and/or processes (i.e. process isolation within both the telematics device and back-end system and between the serial communications in the telematics device and the interface to the vehicle network),"NIST 800-53 r5 SC-39 - PROCESS ISOLATION 
+Maintain a separate execution domain for each executing system process.

-NIST 800-53 SC-39 (2) - PROCESS ISOLATION | THREAD ISOLATION The information system maintains a separate execution domain for each thread in [Assignment: organization-defined multi-threaded processing].",Inspection of vendor-supplied documentation detailing the software architecture.,Medium,-,SCP-100 (System and Communication Protocols) - The vendor's system shall separate execution domains and/or processes (i.e. process isolation within both the telematics device and back-end system and between the serial communications in the telematics device and the interface to the vehicle network),No,Yes,No,No
+NIST 800-53 r5 SC-39 (2) - PROCESS ISOLATION | SEPARATE EXECUTION DOMAIN PER THREAD
+Maintain a separate execution domain for each thread in [Assignment: organizationdefined multi-threaded processing].",Inspection of vendor-supplied documentation detailing the software architecture.,Medium,-,SCP-100 (System and Communication Protocols) - The vendor's system shall separate execution domains and/or processes (i.e. process isolation within both the telematics device and back-end system and between the serial communications in the telematics device and the interface to the vehicle network),No,Yes,No,No
 "Cloud or Back-end;
 ",SCP-110,System and Communication Protocols,The vendor’s system shall provide a means to download unstructured customer data in an industry-standard format (Open Telematics API). This download will occur over secured communication protocols.,"CAIQ IPY-02.1 Is unstructured customer data available on request in an industry-standard format (e.g., .doc, .xls, or .pdf)?","Inspection of vendor-supplied documentation detailing the interfaces (APIs) offered by the vendor.

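Review bot: "organizationdefined" in the SC-39 (2) line should be "organization-defined". Splitting the label and the control text onto separate lines is an improvement over the r4 version, which ran them together, but the SC-39 label line keeps a trailing space after "PROCESS ISOLATION" that the SC-39 (2) label does not; make the two consistent.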
@@ -649,18 +613,14 @@ Connectivity/Communications;
 Cloud or Back-end;
 ",SII-010,Protecting Firmware on Devices,"The vendor shall have a process for remediating flaws in deployed telematics devices and backend systems.

-In the case of telematics devices, firmware update capabilities are important to be able to remediate all flaws that could be located in the device.","NIST 800-53 SI-2 - FLAW REMEDIATION
-The organization:
-a. Identifies, reports, and corrects information system flaws;
+In the case of telematics devices, firmware update capabilities are important to be able to remediate all flaws that could be located in the device.","NIST 800-53 r5 SI-2 - FLAW REMEDIATION
+a. Identify, report, and correct system flaws;
+b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
+c. Install security-relevant software and firmware updates within [Assignment: organizationdefined time period] of the release of the updates; and
+d. Incorporate flaw remediation into the organizational configuration management process.

-b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
-
-c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
-
-d. Incorporates flaw remediation into the organizational configuration management process. 
-
-NIST 800-53 SI-2 (5) - FLAW REMEDIATION | AUTOMATIC SOFTWARE AND FIRMWARE UPDATES 
-The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components].","Inspection of vendor-supplied documentation detailing their flaw remediation process for backend systems.
+NIST 800-53 r5 SI-2 (5) - FLAW REMEDIATION | AUTOMATIC SOFTWARE AND FIRMWARE UPDATES 
+Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components].","Inspection of vendor-supplied documentation detailing their flaw remediation process for backend systems.

 Inspection of vendor-supplied documentation detailing the distribution and installation of new firmware, taking note of any responsibilities the carrier has. Ideally, firmware upgrades should require minimal effort on part of the carrier and automated by the vendor.",High, This is a leniently-worded requirement that a process to update device firmware exists,"SII-010 (Protecting Firmware on Devices) - The vendor shall have a process for remediating flaws in deployed telematics devices and backend systems.

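Review bot: item c. of the new SI-2 block is inconsistent with the SI-2 (5) line in the same hunk: `c. Install security-relevant software and firmware updates within [Assignment: organizationdefined time period]` versus `[Assignment: organization-defined security-relevant software and firmware updates]` two lines later. Suggest `organization-defined` in c. as well. Collapsing the a./b./c./d. items onto consecutive lines (the Rev 4 version had blank lines between them) is fine and matches the Rev 5 layout used elsewhere in this diff.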
@@ -685,18 +645,14 @@ If this facility is not in motor freight carrier control; then inspection of a r
 Vehicle Connection;
 Connectivity/Communications;
 Cloud or Back-end;
-",SII-020,Protecting Firmware on Devices,"The vendor shall have a capability to mitigate vulnerabilities across all of the telematics devices, backend applications, and systems. Identified vulnerabilities are remediated or mitigated using suitable compensating controls on a timeline predicated by the severity of the vulnerability identified.","NIST 800-53 SI-2 - FLAW REMEDIATION
-The organization:
-a. Identifies, reports, and corrects information system flaws;
-
-b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
-
-c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
+",SII-020,Protecting Firmware on Devices,"The vendor shall have a capability to mitigate vulnerabilities across all of the telematics devices, backend applications, and systems. Identified vulnerabilities are remediated or mitigated using suitable compensating controls on a timeline predicated by the severity of the vulnerability identified.","NIST 800-53 r5 SI-2 - FLAW REMEDIATION
+a. Identify, report, and correct system flaws;
+b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
+c. Install security-relevant software and firmware updates within [Assignment: organizationdefined time period] of the release of the updates; and
+d. Incorporate flaw remediation into the organizational configuration management process.

-d. Incorporates flaw remediation into the organizational configuration management process. 
-
-NIST 800-53 SI-2 (5) - FLAW REMEDIATION | AUTOMATIC SOFTWARE AND FIRMWARE UPDATES 
-The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components].
+NIST 800-53 r5 SI-2 (5) - FLAW REMEDIATION | AUTOMATIC SOFTWARE AND FIRMWARE UPDATES 
+Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components].

 CAIQ TVM-02.5 Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems?

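Review bot: same hyphen slip as in the SII-010 hunk, `within [Assignment: organizationdefined time period]` in item c., while the SI-2 (5) enhancement below it has `organization-defined`. Since this SI-2 block is pasted identically into several requirement rows, suggest a single search for `organizationdefined` across the modified CSV before merge rather than fixing the occurrences one row at a time.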
@@ -711,14 +667,12 @@ Connectivity/Communications;
 Cloud or Back-end;
 ",SII-021,Protecting Firmware on Devices," Identified vulnerabilities are remediated or mitigated using suitable compensating controls on a timeline predicated by the severity of the vulnerability identified. Taking no longer than the following elapsed times: high in 30d, moderate in 90d and low in 180d.

-Vendors shall provide a document that defines vulnerabilities severities (e.g. CVSS). Negotiation of mutually aggregable exceptions to the remediation timelines is acceptable to compensate for cases where the complexity of remediation or mitigations of the vulnerability is prohibitively expensive to execute in the prescribed timeline. In general, the timelines of remediation can be agreed -to in a SLA.","NIST 800-53 SI-2 - FLAW REMEDIATION
-The organization:
-a. Identifies, reports, and corrects information system flaws;
-
+Vendors shall provide a document that defines vulnerabilities severities (e.g. CVSS). Negotiation of mutually aggregable exceptions to the remediation timelines is acceptable to compensate for cases where the complexity of remediation or mitigations of the vulnerability is prohibitively expensive to execute in the prescribed timeline. In general, the timelines of remediation can be agreed -to in a SLA.","NIST 800-53 r5 SI-2 - FLAW REMEDIATION
+a. Identify, report, and correct system flaws;
 b. [...]

-NIST 800-53 SI-2 (5) - FLAW REMEDIATION | AUTOMATIC SOFTWARE AND FIRMWARE UPDATES 
-The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components].
+NIST 800-53 r5 SI-2 (5) - FLAW REMEDIATION | AUTOMATIC SOFTWARE AND FIRMWARE UPDATES 
+Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components].

 CAIQ TVM-02.5 Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems?

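Review bot: the SII-021 requirement line is rewritten anyway (only the reference column changes), so this is a good opportunity to fix the pre-existing wording carried over on that line: "defines vulnerabilities severities" should read "defines vulnerability severities", "mutually aggregable exceptions" should read "mutually agreeable exceptions", and "can be agreed -to in a SLA" should read "can be agreed to in an SLA". The reference update itself (SI-2 a. plus the SI-2 (5) enhancement in Rev 5 phrasing) matches the other SI-2 rows.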
@@ -732,17 +686,15 @@ Vendors shall provide a document that defines vulnerabilities severities (e.g. C
 "Mobile App;
 Vehicle Connection;
 Connectivity/Communications;
-",SII-030,Protecting Firmware on Devices,The vendor shall use digitally signed software on telematics devices and prohibit execution of unsigned or invalidly signed software.,"NIST 800-53 SI-3 - MALICIOUS CODE PROTECTION
-The organization:
-a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
-
+",SII-030,Protecting Firmware on Devices,The vendor shall use digitally signed software on telematics devices and prohibit execution of unsigned or invalidly signed software.,"NIST 800-53 r5 SI-3 - MALICIOUS CODE PROTECTION
+a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
 b. [...]

-NIST 800-53 SI-7 (1) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY CHECKS [...]
+NIST 800-53 r5 SI-7 (1) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY CHECKS [...]

-NIST 800-53 SI-7 (6) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CRYPTOGRAPHIC PROTECTION [...]
+NIST 800-53 r5 SI-7 (6) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CRYPTOGRAPHIC PROTECTION [...]

-NIST 800-53 SI-7 (15) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CODE AUTHENTICATION  [...]
+NIST 800-53 r5 SI-7 (15) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CODE AUTHENTICATION  [...]

 CAIQ CCC-04.1 Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems?

@@ -751,36 +703,36 @@ CTIA ICCTP 3.6 Software Upgrades CTIA ICCTP 5.6 Software Upgrades
 FMCSA GDL 30 If the device can be updated from local media (USB, SD cards, etc.), make sure the updates are digitally-signed and authorization is required",Inspection of vendor documentation demonstrating that only cryptographically signed software is allowed to be executed/run on telematics devices. Ensure that signature verification is performed before load/execute/run and not solely at time of installation.,Medium,Note may just want to make this one vendor shall utilize digitally signed firmware,SII-030 (Protecting Firmware on Devices) - The vendor shall use digitally signed software on telematics devices and prohibit execution of unsigned or invalidly signed software.,Yes,Yes,Yes,No
 "Vehicle Connection;
 Connectivity/Communications;
-",SII-040,Protecting Firmware on Devices,The vendor shall utilize a boot verification process built with (asymmetric) cryptographic digital signatures and implemented such that the public key used for verification or the hash of the public key used for verification is protected from being tampered on the device.,"NIST 800-53 SI-7 (5) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS 
-The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements [Assignment: organization-defined security safeguards]] when integrity violations are discovered.
+",SII-040,Protecting Firmware on Devices,The vendor shall utilize a boot verification process built with (asymmetric) cryptographic digital signatures and implemented such that the public key used for verification or the hash of the public key used for verification is protected from being tampered on the device.,"NIST 800-53 r5 SI-7 (5) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS 
+Automatically [Selection (one or more): shut the system down; restart the system; implement [Assignment: organization-defined controls]] when integrity violations are discovered.

-NIST 800-53 SI-7 (6) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CRYPTOGRAPHIC PROTECTION 
-The information system implements cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.
+NIST 800-53 r5 SI-7 (6) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CRYPTOGRAPHIC PROTECTION 
+Implement cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.

-NIST 800-53 SI-7 (9) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | VERIFY BOOT PROCESS 
-The information system verifies the integrity of the boot process of [Assignment: organization-defined devices].
+NIST 800-53 r5 SI-7 (9) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | VERIFY BOOT PROCESS 
+Verify the integrity of the boot process of the following system components: [Assignment: organization-defined system components].

-NIST 800-53 SI-7 (10) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | PROTECTION OF BOOT FIRMWARE 
-The information system implements [Assignment: organization-defined security safeguards] to protect the integrity of boot firmware in [Assignment: organization-defined devices].
+NIST 800-53 r5 SI-7 (10) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | PROTECTION OF BOOT FIRMWARE 
+Implement the following mechanisms to protect the integrity of boot firmware in [Assignment: organization-defined system components]: [Assignment: organizationdefined mechanisms].

-NIST 800-53 SI-7 (15) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CODE AUTHENTICATION 
-The information system implements cryptographic mechanisms to authenticate [Assignment: organization-defined software or firmware components] prior to installation.",Inspection of a 3rd party implementation review report or a demonstration by the vendor that asserts the use of cryptographic protections for the integrity of the boot process.The cryptographic protections must employ asymmetric industry standard algorithms. (rationale: cryptography must be validated by experts in the subject),High,Secure boot underpins the access control which protects the vehicle networks,SII-040 (Protecting Firmware on Devices) - The vendor shall utilize a boot verification process built with (asymmetric) cryptographic digital signatures and implemented such that the public key used for verification or the hash of the public key used for verification is protected from being tampered on the device.,No,Yes,Yes,No
+NIST 800-53 r5 SI-7 (15) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CODE AUTHENTICATION 
+Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: [Assignment: organization-defined software or firmware components].",Inspection of a 3rd party implementation review report or a demonstration by the vendor that asserts the use of cryptographic protections for the integrity of the boot process.The cryptographic protections must employ asymmetric industry standard algorithms. (rationale: cryptography must be validated by experts in the subject),High,Secure boot underpins the access control which protects the vehicle networks,SII-040 (Protecting Firmware on Devices) - The vendor shall utilize a boot verification process built with (asymmetric) cryptographic digital signatures and implemented such that the public key used for verification or the hash of the public key used for verification is protected from being tampered on the device.,No,Yes,Yes,No
 "Vehicle Connection;
 Connectivity/Communications;
-",SII-060,Protecting Firmware on Devices,The vendor shall provide a means (and document the process) for customers to verify the firmware in their devices.,"NIST 800-53 SI-7 (12) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY VERIFICATION 
-The organization requires that the integrity of [Assignment: organization-defined user-installed software] be verified prior to execution.
+",SII-060,Protecting Firmware on Devices,The vendor shall provide a means (and document the process) for customers to verify the firmware in their devices.,"NIST 800-53 r5 SI-7 (12) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY VERIFICATION 
+Require that the integrity of the following user-installed software be verified prior to execution: [Assignment: organization-defined user-installed software].

-NIST 800-53 SI-7 (15) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CODE AUTHENTICATION 
-The information system implements cryptographic mechanisms to authenticate [Assignment: organization-defined software or firmware components] prior to installation.
+NIST 800-53 r5 SI-7 (15) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CODE AUTHENTICATION 
+Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: [Assignment: organization-defined software or firmware components].

-NIST 800-53 SC-3 - SECURITY FUNCTION ISOLATION
-The information system isolates security functions from nonsecurity functions.",Inspection of vendor documentation detailing the process of verifying the firmware on a device. Ensure that these steps can be executed by your (carrier) staff to gain your own assurance of device firmware state.,Low,Is a rare feature to find deployed and is nice-to-have over and above secure boot,SII-060 (Protecting Firmware on Devices) - The vendor shall provide a means (and document the process) for customers to verify the firmware in their devices.,No,Yes,Yes,No
+NIST 800-53 r5 SC-3 - SECURITY FUNCTION ISOLATION
+Isolate security functions from nonsecurity functions",Inspection of vendor documentation detailing the process of verifying the firmware on a device. Ensure that these steps can be executed by your (carrier) staff to gain your own assurance of device firmware state.,Low,Is a rare feature to find deployed and is nice-to-have over and above secure boot,SII-060 (Protecting Firmware on Devices) - The vendor shall provide a means (and document the process) for customers to verify the firmware in their devices.,No,Yes,Yes,No
 "Mobile App;
 Vehicle Connection;
 Connectivity/Communications;
 Cloud or Back-end;
-",SII-070,Protecting Firmware on Devices,"The vendor shall utilize an array of code safety features across the entire collection of executables in its devices: ASLR, DEP, CFI, Stack Guards, Fortification, and RELRO. Unless that code safety feature is not applicable on the system architecture, in which case it should be noted.","NIST 800-53 SI-16 – MEMORY PROTECTION 
-The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.
+",SII-070,Protecting Firmware on Devices,"The vendor shall utilize an array of code safety features across the entire collection of executables in its devices: ASLR, DEP, CFI, Stack Guards, Fortification, and RELRO. Unless that code safety feature is not applicable on the system architecture, in which case it should be noted.","NIST 800-53 r5 SI-16 – MEMORY PROTECTION 
+Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls].

 Cyber ITL Methodology – Safety Features

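Review bot: two small consistency issues in this hunk. In the SI-7 (10) line, `[Assignment: organizationdefined mechanisms]` is missing its hyphen while the first assignment on the same line has `organization-defined system components`; suggest `organization-defined mechanisms`. In the SC-3 line, the removed text ended with a full stop (`... from nonsecurity functions.`) but the replacement `Isolate security functions from nonsecurity functions",` drops it, so the last reference in the SII-060 cell now ends without punctuation, unlike the SI-7 (12) and SI-7 (15) entries above it. The SI-7 (5), (6), (9), (12) and (15) rewrites otherwise read as the Rev 5 imperative form.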
@@ -797,11 +749,11 @@ Cloud or Back-end;
 Vehicle Connection;
 Connectivity/Communications;
 Cloud or Back-end;
-",SII-080,Protecting Firmware on Devices,The vendor shall design security components that fail-secure to protect integrity of systems and data.,"NIST 800-53 SI-17 - FAIL-SAFE PROCEDURES 
-The information system implements [Assignment: organization-defined fail-safe procedures] when [Assignment: organization-defined failure conditions occur].
+",SII-080,Protecting Firmware on Devices,The vendor shall design security components that fail-secure to protect integrity of systems and data.,"NIST 800-53 r5 SI-17 - FAIL-SAFE PROCEDURES 
+Implement the indicated fail-safe procedures when the indicated failures occur: [Assignment: organization-defined list of failure conditions and associated fail-safe procedures].

-NIST 800-53 SC-24 – FAIL IN KNOWN STATE
-The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.
+NIST 800-53 r5 SC-24 – FAIL IN KNOWN STATE
+Fail to a [Assignment: organization-defined known system state] for the following failures on the indicated components while preserving [Assignment: organization-defined system state information] in failure: [Assignment: list of organization defined types of system failures on organization-defined system components].

 CTIA ICCTP 5.17 Design-In Features “Fail Secure”

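Review bot: the new SC-24 line spells the parameter three different ways: `[Assignment: organization-defined known system state]`, `[Assignment: organization-defined system state information]`, and then `[Assignment: list of organization defined types of system failures on organization-defined system components]` with a space instead of a hyphen in the first occurrence inside the last bracket. Suggest `organization-defined` there too. The SI-17 replacement ("Implement the indicated fail-safe procedures when the indicated failures occur: ...") is consistent with the Rev 5 form used elsewhere in the diff.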
@@ -810,26 +762,21 @@ FMCSA GDL 4 Security problems will happen; fail safely",Inspection of vendor doc
 Vehicle Connection;
 Connectivity/Communications;
 Cloud or Back-end;
-",SII-081,Protecting Firmware on Devices,The vendor shall utilize protective mechanisms to protect components from unauthorized runtime/volatile modification of code.,"NIST 800-53 SI-3 - MALICIOUS CODE PROTECTION
-The organization:
-a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
-
-b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
-
-c. Configures malicious code protection mechanisms to:
-1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
-2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
-
-d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.",Inspection of vendor documentation detailing the operation of software protections for prevent the runtime modification of code.,Low, Not well defined enough to make this of critical importance to TSPs or carriers,SII-081 (Protecting Firmware on Devices) - The vendor shall utilize protective mechanisms to protect components from unauthorized runtime/volatile modification of code.,Yes,Yes,Yes,Yes
+",SII-081,Protecting Firmware on Devices,The vendor shall utilize protective mechanisms to protect components from unauthorized runtime/volatile modification of code.,"NIST 800-53 r5 SI-3 - MALICIOUS CODE PROTECTION
+a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
+b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
+c. Configure malicious code protection mechanisms to:
+  1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and
+  2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organizationdefined personnel or roles] in response to malicious code detection; and
+d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.",Inspection of vendor documentation detailing the operation of software protections for prevent the runtime modification of code.,Low, Not well defined enough to make this of critical importance to TSPs or carriers,SII-081 (Protecting Firmware on Devices) - The vendor shall utilize protective mechanisms to protect components from unauthorized runtime/volatile modification of code.,Yes,Yes,Yes,Yes
 "Mobile App;
 Vehicle Connection;
 Connectivity/Communications;
 Cloud or Back-end;
 ",SII-090,Vulnerability Management,"The vendor shall maintain a responsible disclosure program that allows for vulnerabilities discovered in the system (device, mobile app or backend) by researchers, and other external entities to be reported, tracked and mitigated. 

-Vulnerability programs should include sufficient legal provisions to provide for a “Legal Safe Harbor” for researchers.","NIST 800-53 SI-5 - SECURITY ALERTS, ADVISORIES, AND DIRECTIVES 
-The organization:
-a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
+Vulnerability programs should include sufficient legal provisions to provide for a “Legal Safe Harbor” for researchers.","NIST 800-53 r5 SI-5 - SECURITY ALERTS, ADVISORIES, AND DIRECTIVES 
+a. Receive system security alerts, advisories, and directives from [Assignment: organizationdefined external organizations] on an ongoing basis;
 [...]

 ISA/IEC  29147:2014 (Information technology -- Security techniques -- Vulnerability Disclosure) 
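Review bot: the hyphen is dropped twice in this hunk: SI-3 c.2 ends with `send alert to [Assignment: organizationdefined personnel or roles]` although the same item has `[Assignment: organization-defined action]` just before it, and the SII-090 SI-5 item a. reads `from [Assignment: organizationdefined external organizations]`. Suggest `organization-defined` in both places. The two-space indentation of the c.1 and c.2 sub-items is a readable way to show the nesting inside the cell and matches the RA-5 block later in this change.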
@@ -852,9 +799,8 @@ Demonstration, by vendor, of an active security@[vendor domain] email, that will

 Vulnerability programs should include sufficient legal provisions to provide for a “Legal Safe Harbor” for researchers.",Yes,Yes,Yes,Yes
 "Cloud or Back-end;
-",SII-100,Incident Response,The vendor must monitor information systems for attack and unauthorized access including employing automated analysis tools,"NIST 800-53 SI-4 – SYSTEM MONITORING 
-The organization:
-a. Monitors the information system to detect: […]
+",SII-100,Incident Response,The vendor must monitor information systems for attack and unauthorized access including employing automated analysis tools,"NIST 800-53 r5 SI-4 – SYSTEM MONITORING 
+a. Monitor the system to detect: […]

 FMCSA GDL 28 Enable security monitoring of the telematics system(s) using native tools.",Inspection of vendor-supplied documentation which asserts the use and active monitoring of their systems for intrusion.,High," Regardless of how secure a system might be it will eventually be breached; therefore monitoring is of high criticality

@@ -864,20 +810,16 @@ Cloud or Back-end;
 ",SII-110,Vulnerability Management,"The vendor conducts regular vulnerability scans of operating environment to verify software components in use have been patched according to remediation SLAs. 

-","NIST 800-53 RA-5 – VULNERABILITY SCANNING 
-The organization:
-a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
-
-b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
-1. Enumerating platforms, software flaws, and improper configurations;
-2. Formatting checklists and test procedures; and
-3. Measuring vulnerability impact;
-
-c. Analyzes vulnerability scan reports and results from security control assessments;
-
-d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
-
-e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).","Inspection of vendor-supplied documents stating the frequency, method, and scope of vulnerability scans.",Medium,-,"SII-110 (Vulnerability Management) - The vendor conducts regular vulnerability scans of operating environment to verify software components in use have been patched according to remediation SLAs. 
+","NIST 800-53 r5 RA-5 – VULNERABILITY MONITORING AND SCANNING
+a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;
+b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
+  1. Enumerating platforms, software flaws, and improper configurations;
+  2. Formatting checklists and test procedures; and
+  3. Measuring vulnerability impact;
+c. Analyze vulnerability scan reports and results from vulnerability monitoring;
+d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk;
+e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and
+f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.","Inspection of vendor-supplied documents stating the frequency, method, and scope of vulnerability scans.",Medium,-,"SII-110 (Vulnerability Management) - The vendor conducts regular vulnerability scans of operating environment to verify software components in use have been patched according to remediation SLAs. 

 ",No,No,Yes,Yes
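Review bot: the RA-5 rewrite is the one place in this hunk where the control's name changes ("VULNERABILITY SCANNING" becomes "VULNERABILITY MONITORING AND SCANNING") and a new item f. is appended, with the trailing "and" correctly moved from item d. to item e. Worth confirming the update log attached to the PR records this as a title change rather than a wording-only change, since the requirement text and the "Combined Ref" column (both still say "vulnerability scans") are unchanged and a reader comparing the two columns may otherwise wonder whether the row was meant to be retitled.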
@@ -885,18 +827,14 @@ e. Shares information obtained from the vulnerability scanning process and secur
 Vehicle Connection;
 Connectivity/Communications;
 Cloud or Back-end;
-",SII-120,Vulnerability Management,The vendor shall have a vulnerability management process that includes steps to triage any found vulnerabilities and plan remediation.,"NIST 800-53 SI-2 - FLAW REMEDIATION 
-The organization:
-a. Identifies, reports, and corrects information system flaws;
+",SII-120,Vulnerability Management,The vendor shall have a vulnerability management process that includes steps to triage any found vulnerabilities and plan remediation.,"NIST 800-53 r5 SI-2 - FLAW REMEDIATION 
+a. Identify, report, and correct system flaws;
+b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
+c. Install security-relevant software and firmware updates within [Assignment: organizationdefined time period] of the release of the updates; and
+d. Incorporate flaw remediation into the organizational configuration management process.

-b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
-
-c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
-
-d. Incorporates flaw remediation into the organizational configuration management process.
-
-NIST 800-53 SI-2 (5) - FLAW REMEDIATION | AUTOMATIC SOFTWARE AND FIRMWARE UPDATES 
-The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components].
+NIST 800-53 r5 SI-2 (5) - FLAW REMEDIATION | AUTOMATIC SOFTWARE AND FIRMWARE UPDATES 
+Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components].

 CAIQ CCC-03.3 Are there policies and procedures in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings?

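Review bot: item c. of the SII-120 SI-2 block again has `[Assignment: organizationdefined time period]` while the SI-2 (5) line below it uses `organization-defined`; suggest the hyphenated form. This is the fourth copy of the same SI-2 text in the diff (SII-010, SII-020, SII-021, SII-120), so whichever spelling is chosen should be applied to all of them in one pass.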
@@ -912,11 +850,11 @@ Static Code Analysis / Static Application Security Testing (SCA/SAST)
 Dependency Scanning for known vulnerabilities in third party components 

-","NIST 800-53 SA-11 (1) - DEVELOPER TESTING AND EVALUATION | STATIC CODE ANALYSIS 
+","NIST 800-53 r5 SA-11 (1) - DEVELOPER TESTING AND EVALUATION | STATIC CODE ANALYSIS 
 Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.

-NIST 800-53 SA-11 (7) - DEVELOPER TESTING AND EVALUATION | VERIFY SCOPE OF TESTING AND EVALUATION 
-The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at [Assignment: organization-defined depth of testing/evaluation].
+NIST 800-53 r5 SA-11 (7) - DEVELOPER TESTING AND EVALUATION | VERIFY SCOPE OF TESTING AND EVALUATION 
+Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: [Assignment: organization-defined breadth and depth of testing and evaluation].

 FMCSA GDL 2 Follow secure coding best practices.","Inspection of vendor-supplied documentation detailing their release process and quality controls.

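Review bot: only the SA-11 (1) header line changes here, and that is correct: the unchanged context line `Require the developer of the system, system component, or system service to employ static code analysis tools ...` was already in Rev 5 imperative form in the original, so no body text needed updating for that reference. The SA-11 (7) body replacement (`... at the following level of rigor: [Assignment: organization-defined breadth and depth of testing and evaluation]`) uses the hyphenated parameter spelling that the other hunks in this change should also settle on.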
@@ -932,60 +870,47 @@ Dependency Scanning for known vulnerabilities in third party components
 Vehicle Connection;
 Connectivity/Communications;
 Cloud or Back-end;
-",SII-140,Vulnerability Management,The vendor shall implement ongoing monitoring and protection against malicious code in production using a well governed process that addresses all entry and exit points in the system.,"NIST 800-53 SI-3 – MALICIOUS CODE PROTECTION 
-The organization:
-a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
-
-b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
-
-c. Configures malicious code protection mechanisms to:
-1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
-2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
-
-d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
+",SII-140,Vulnerability Management,The vendor shall implement ongoing monitoring and protection against malicious code in production using a well governed process that addresses all entry and exit points in the system.,"NIST 800-53 r5 SI-3 – MALICIOUS CODE PROTECTION 
+a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
+b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
+c. Configure malicious code protection mechanisms to:
+  1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and
+  2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organizationdefined personnel or roles] in response to malicious code detection; and
+d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

 FMCSA GDL 28 Enable security monitoring of the telematics system(s) using native tools",Inspection of vendor-supplied documentation detailing the methods used to protect systems and devices from malicious code.,Medium,"e.g. whitelisting, anti-malware scanning, cryptographic protections",SII-140 (Vulnerability Management) - The vendor shall implement ongoing monitoring and protection against malicious code in production using a well governed process that addresses all entry and exit points in the system.,Yes,Yes,Yes,Yes
 "Mobile App;
 Vehicle Connection;
 Connectivity/Communications;
 Cloud or Back-end;
-",SII-150,Vulnerability Management,The vendor shall verify code according to best-practice coding standards,"NIST 800-53 SA-15 (7) - DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | AUTOMATED VULNERABILITY ANALYSIS
-The organization requires the developer of the information system, system component, or
-information system service to:
+",SII-150,Vulnerability Management,The vendor shall verify code according to best-practice coding standards,"NIST 800-53 r5 SA-15 (7) - DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | AUTOMATED VULNERABILITY ANALYSIS
+Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to:
 (a) Perform an automated vulnerability analysis using [Assignment: organization-defined tools];
 (b) Determine the exploitation potential for discovered vulnerabilities;
 (c) Determine potential risk mitigations for delivered vulnerabilities; and
-(d) Deliver the outputs of the tools and results of the analysis to [Assignment: organizationdefined personnel or roles].","Inspection of vendor-supplied documentation detailing the software development processes of the vendor.
+(d) Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles].","Inspection of vendor-supplied documentation detailing the software development processes of the vendor.

 Ensure that the vendor has coding standards that encourage secure code development.",Medium,-,SII-150 (Vulnerability Management) - The vendor shall verify code according to best-practice coding standards,Yes,Yes,Yes,Yes
 "Mobile App;
 Vehicle Connection;
 Connectivity/Communications;
 Cloud or Back-end;
-",SII-170,System and Information Integrity,"The vendor shall actively monitor resources such as NIST Common Vulnerabilities and Exposures (CVE), Bugtraq, for security alerts and advisories related to the telematics system’s components","NIST 800-53 SI-5 - SECURITY ALERTS, ADVISORIES, AND DIRECTIVES 
-The organization:
-a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
-
-b. Generates internal security alerts, advisories, and directives as deemed necessary;
-
-c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
-
-d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
+",SII-170,System and Information Integrity,"The vendor shall actively monitor resources such as NIST Common Vulnerabilities and Exposures (CVE), Bugtraq, for security alerts and advisories related to the telematics system’s components","NIST 800-53 r5 SI-5 - SECURITY ALERTS, ADVISORIES, AND DIRECTIVES 
+a. Receive system security alerts, advisories, and directives from [Assignment: organizationdefined external organizations] on an ongoing basis;
+b. Generate internal security alerts, advisories, and directives as deemed necessary;
+c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
+d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.

 FMCSA GDL 8 Decide early who is in charge of creating, implementing, and maintaining software/firmware updates for a device when a vulnerability emerges, and ensure these guidelines are met.","Inspection of vendor process documentation detailing whether alerts, advisories, and directives are monitored and how these items are consumed e.g. email, ticketing system.",Medium,-,"SII-170 (System and Information Integrity) - The vendor shall actively monitor resources such as NIST Common Vulnerabilities and Exposures (CVE), Bugtraq, for security alerts and advisories related to the telematics system’s components",Yes,Yes,Yes,Yes
 "Mobile App;
 Vehicle Connection;
 Connectivity/Communications;
 Cloud or Back-end;
-",SII-171,System and Information Integrity,The vendor shall notify their customers of any vulnerabilities discovered in the telematics systems components via monitoring or vulnerability disclosure programs. The notification to customers will happen in a timely manner.,"NIST 800-53 SI-5 - SECURITY ALERTS, ADVISORIES, AND DIRECTIVES 
-The organization:
-a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
-
-b. Generates internal security alerts, advisories, and directives as deemed necessary;
-
-c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
-
-d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.",Inspection of vendor process documentation detailing how customers are notified. Confirm that the timelines stated in the vendors notification procedures are acceptable.,Medium,-,SII-171 (System and Information Integrity) - The vendor shall notify their customers of any vulnerabilities discovered in the telematics systems components via monitoring or vulnerability disclosure programs. The notification to customers will happen in a timely manner.,Yes,Yes,Yes,Yes
+",SII-171,System and Information Integrity,The vendor shall notify their customers of any vulnerabilities discovered in the telematics systems components via monitoring or vulnerability disclosure programs. The notification to customers will happen in a timely manner.,"NIST 800-53 r5 SI-5 - SECURITY ALERTS, ADVISORIES, AND DIRECTIVES 
+a. Receive system security alerts, advisories, and directives from [Assignment: organizationdefined external organizations] on an ongoing basis;
+b. Generate internal security alerts, advisories, and directives as deemed necessary;
+c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
+d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.",Inspection of vendor process documentation detailing how customers are notified. Confirm that the timelines stated in the vendors notification procedures are acceptable.,Medium,-,SII-171 (System and Information Integrity) - The vendor shall notify their customers of any vulnerabilities discovered in the telematics systems components via monitoring or vulnerability disclosure programs. The notification to customers will happen in a timely manner.,Yes,Yes,Yes,Yes
 "Mobile App;
 Vehicle Connection;
 Connectivity/Communications;
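Review bot: the hyphen in "organization-defined" is dropped on three of the added lines: SI-3 c.2 ("send alert to [Assignment: organizationdefined personnel or roles]") and the SI-5 item a. line under both SII-170 and SII-171 ("[Assignment: organizationdefined external organizations]"). This is the same line-break artifact that the SA-15 (7) (d) line in this hunk corrects (the removed line reads "organizationdefined", the added line "organization-defined"), so the new lines should get the same fix before merge; anything that searches the matrix for "[Assignment: organization-defined" will otherwise miss these parameters.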
@@ -993,17 +918,15 @@ Cloud or Back-end;
 ",SII-180,Secure Software Development Lifecycle (SDLC),"Remediation SLA or objectives are defined and are adhered to by the security and development teams. Identified vulnerabilities are remediated or mitigated using suitable compensating controls

-","NIST 800-53 SA-3 - SYSTEM DEVELOPMENT LIFE CYCLE
-The organization:
-a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
-
-b. Defines and documents information security roles and responsibilities throughout the system development life cycle;
-
-c. Identifies individuals having information security roles and responsibilities; and
-
-d. Integrates the organizational information security risk management process into system development life cycle activities.
+","NIST 800-53 r5 SA-3 - SYSTEM DEVELOPMENT LIFE CYCLE
+a. Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations;
+b. Define and document information security and privacy roles and responsibilities throughout the system development life cycle;
+c. Identify individuals having information security and privacy roles and responsibilities; and
+d. Integrate the organizational information security and privacy risk management process into system development life cycle activities

-NIST 800-53 SI-2 (3) - FLAW REMEDIATION | TIME TO REMEDIATE FLAWS AND BENCHMARKS FOR CORRECTIVE ACTIONS (a) Measure the time between flaw identification and flaw remediation; and (b) Establish [Assignment: organization-defined benchmarks] for taking corrective actions.
+NIST 800-53 r5 SI-2 (3) - FLAW REMEDIATION | TIME TO REMEDIATE FLAWS AND BENCHMARKS FOR CORRECTIVE ACTIONS
+(a) Measure the time between flaw identification and flaw remediation; and
+(b) Establish the following benchmarks for taking corrective actions: [Assignment: organization-defined benchmarks].

 BSIMM [SM1.4: 101] IDENTIFY GATE LOCATIONS, GATHER NECESSARY ARTIFACTS 
 a. Establish security-specific release gates necessary for go/no-go decisions prior to deployment.
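Review bot: the added SA-3 item d. ("Integrate the organizational information security and privacy risk management process into system development life cycle activities") loses the terminating period that the removed Revision 4 line had ("... into system development life cycle activities."); items a. to c. in the same block keep their ";" and "; and" terminators, so d. should end with "." for consistency. Splitting SI-2 (3) onto separate lines for (a) and (b) reads better than the single run-on line it replaces.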
BenGardiner commented 3 years ago

At the 20210614 meeting these changes were reviewed and approved. Thank you, @jdaoust 👍